[
https://issues.apache.org/jira/browse/THRIFT-3979?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15685428#comment-15685428
]
James E. King, III commented on THRIFT-3979:
--------------------------------------------
Okay, here's the problem that I have with that: it isn't secure. A client
could spend the time to find out other clients' session tokens through a
brute-force attack.
A much more secure mechanism is to have the server track a unique id per
connected session. The client cannot spoof such a thing, especially if the
server implements both encryption and authentication.
I suggest that we recommend closing this issue as "Won't Fix" providing
guidance to use the THeaderProtocol if someone wants to pass connection
metadata with requests?
I suggest that we also open a new ticket to track the addition of server-side
secure state tracking.
> offer TExtendedBinaryProtocol for customers
> -------------------------------------------
>
> Key: THRIFT-3979
> URL: https://issues.apache.org/jira/browse/THRIFT-3979
> Project: Thrift
> Issue Type: Story
> Components: Wish List
> Affects Versions: 0.9.3
> Reporter: Xiaoshuang LU
>
> Sometimes, customers wanna put some options (whatever customers want) in each
> request and response. And these options ought to be transparent for
> applications.
> Unfortunately, thrift protocol does not have good extensibility for extra
> functionalities. I would like to propose the following solution to address
> this issue.
> 1. TMessage adds a new field called "options"
> 2. customers set "options"
> 3. TExtendedBinaryProtocol writes "options" when "writeMessageBegin" invoked
> 4. TExtendedBinaryProtocol reads "options" when "readMessageBegin" invoked
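The contrast drawn in the comment above, shown as an added example that is not part of the original message or of Thrift's code: a handler that takes identity from a client-set "options" field next to one that takes it from state the server keeps per connection. All class and function names are hypothetical, the messages are constructed, and transport-level authentication is assumed to have happened before `on_connect`.

```python
import secrets


class Connection:
    """Stand-in for an accepted transport (hypothetical; not a Thrift class)."""


class SessionRegistry:
    """Server-side state keyed by the connection object, never by message content."""

    def __init__(self):
        self._by_conn = {}

    def on_connect(self, conn, principal):
        # Called once per accepted connection, after the transport has
        # authenticated the peer. The id comes from a CSPRNG and is never
        # handed to the client to echo back, so there is nothing to guess.
        self._by_conn[conn] = {"id": secrets.token_hex(16), "principal": principal}

    def on_disconnect(self, conn):
        self._by_conn.pop(conn, None)

    def lookup(self, conn):
        return self._by_conn[conn]  # KeyError for an unknown connection


def handle_trusting_options(sessions_by_token, message):
    """Pattern the comment objects to: identity read from a client-set field."""
    return sessions_by_token.get(message["options"].get("session_token"))


def handle_server_tracked(registry, conn, message):
    """Identity read from the connection; client-set options do not affect it."""
    return registry.lookup(conn)["principal"]


def demo():
    registry = SessionRegistry()
    alice_conn, bob_conn = Connection(), Connection()
    registry.on_connect(alice_conn, "alice")
    registry.on_connect(bob_conn, "bob")
    # Constructed data: a token table and a request sent over bob's
    # connection whose "options" carry alice's token.
    tokens = {"tok-alice": "alice", "tok-bob": "bob"}
    request = {"name": "getBalance", "options": {"session_token": "tok-alice"}}
    return (handle_trusting_options(tokens, request),
            handle_server_tracked(registry, bob_conn, request))
```

`demo()` returns `("alice", "bob")`: the options-based handler accepts the claimed token, while the connection-keyed handler resolves the same request to the session of the connection it arrived on.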